Need Help on Difficult GPO Requirement

Joe Mowry

Ladies and Gentlemen,
I've been trying for the last couple of weeks in my spare time to
accomplish assigning GPOs to restrict and lock down drive access,
internet access, and other services, and apply an Excel policy to set
general options and lock down other functions.

I have a single Domain (Domain1)
Multiple Global Groups in Domain1
File and print server (PFserver.domain1)
Citrix Servers Citrix1.domain1 and Citrix2.domain1 Single Published
application Excel No Desktop.

My problem is this. There is a global group (Budgets) that accesses
Citrix1.domain1 and Citrix2.domain1 to run Excel. During the Citrix access by the
users in the Budgets group I need to highly restrict drive
access, internet access through Excel, and mapping network drives, and
apply the Excel policy which sets items in the General tab.

What I've done so far works like gangbusters but affects all the
desktops/laptops even when not in/accessing the Citrix app through the
Citrix Client. It caused a massive load on the call center when users
logged on and couldn't do anything on their local machines.
*******
Created an OU (CITRIXTS). Direct parent is Domain1.
Created Policy (CTX-SERVERS), added the two Citrix servers and the
Budgets group as members, and configured the (computer policy only).
Linked this GP to Domain1.
Created Policy (CTX-Excel) and added the two Citrix servers and the
Budgets group. Configured the user policy here, removing drive access
through Windows Explorer and My Computer and setting the Excel portions
of the policy.
Linked to Domain1.
When both were linked all hell broke loose. The Citrix servers and
Excel were just the way they were supposed to be. But the desktops/laptops
now had all the settings even when not in the Citrix Client.

My goal is to have this group of users to always have the established
domain1 policy when not in/accessing the Citrix Client and have the
full power of the GPO's applied only when using the Citrix Client to
access the Restricted Citrix Environment.

Anyone got a good idea on how to do this?
All help would be greatly appreciated.

Thanks all,
Joe Mowry
Sr. Technical Flunky
Just when the light comes on and I start to see things clearly,
along comes the brownout and the fuse blows.
 
Hi Joe.

Loopback processing of Group Policy is what you want to look at. What loopback
processing does is apply the user configuration of a GPO linked to an OU to all
users that log on to computers in that OU, in either merge or replace mode. The users
do not, and should not, reside in the OU where loopback processing is applied. Then
when users log on to computers that are not in an OU where loopback processing is
enabled, they will have the normal user configuration applied to their domain user
account. See the link below for more details and how to configure it. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;231287
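The layout Steve describes, as an added example that is not part of this thread: the Citrix servers alone sit in the CITRIXTS OU, CTX-SERVERS turns on loopback (Replace mode) for those computers, and CTX-Excel carries the user-side restrictions but is linked to the OU, not the domain, so it reaches the Budgets users only when they log on to Citrix1/Citrix2. It uses the GroupPolicy and ActiveDirectory PowerShell modules of a current Windows Server, not the Windows 2000 tooling of the thread; the same registry-backed settings exist in the Windows 2000 Group Policy editor. The OU, GPO, group and server names come from the thread; the DN suffix, the drive-restriction registry values, the `Domain Computers` read grant and the test user `someuser` are assumptions for illustration.

```powershell
# Added example (not from the thread): loopback layout for Citrix servers.
# Requires the ActiveDirectory and GroupPolicy RSAT modules and rights to
# create OUs/GPOs. Names from the thread: OU CITRIXTS, GPOs CTX-SERVERS and
# CTX-Excel, group Budgets, servers Citrix1 and Citrix2. Everything else
# (DN suffix, registry values, test user) is assumed for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=domain1,DC=local
$ouDn     = "OU=CITRIXTS,$domainDn"
$servers  = 'Citrix1', 'Citrix2'
$group    = 'Budgets'

# 1. OU holds only the Citrix servers. Users stay in their own OUs;
#    loopback applies the user settings of GPOs linked here to whoever
#    logs on to these computers.
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=CITRIXTS)' -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name 'CITRIXTS' -Path $domainDn
}
foreach ($s in $servers) {
    Get-ADComputer $s | Move-ADObject -TargetPath $ouDn
}

# 2. CTX-SERVERS: computer-side GPO that enables loopback.
#    UserPolicyMode 1 = Merge (user's own GPOs plus the OU's), 2 = Replace
#    (only GPOs linked to the server's OU supply user settings).
$serversGpo = New-GPO -Name 'CTX-SERVERS'
Set-GPRegistryValue -Name $serversGpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $serversGpo.DisplayName -Target $ouDn -LinkEnabled Yes | Out-Null

# 3. CTX-Excel: user-side restrictions, linked to the same OU (NOT the domain,
#    which is what pushed the settings onto every workstation in the thread).
#    NoDrives hides drives in Explorer/My Computer, NoViewOnDrive blocks
#    opening them; 0x3FFFFFF is the A-Z bitmask. NoNetConnectDisconnect
#    removes "Map Network Drive".
$excelGpo = New-GPO -Name 'CTX-Excel'
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $excelGpo.DisplayName -Key $explorer -ValueName 'NoDrives'               -Type DWord -Value 0x3FFFFFF | Out-Null
Set-GPRegistryValue -Name $excelGpo.DisplayName -Key $explorer -ValueName 'NoViewOnDrive'          -Type DWord -Value 0x3FFFFFF | Out-Null
Set-GPRegistryValue -Name $excelGpo.DisplayName -Key $explorer -ValueName 'NoNetConnectDisconnect' -Type DWord -Value 1         | Out-Null
New-GPLink -Name $excelGpo.DisplayName -Target $ouDn -LinkEnabled Yes | Out-Null

# 4. Security filtering on the user-side GPO: only Budgets gets Apply, so
#    other accounts logging on to the servers are not locked down. Drop the
#    default Authenticated Users Apply, but keep Read for the computer
#    accounts: since MS16-072 user policy is fetched in the computer's
#    security context, and a GPO the computer cannot read is silently skipped.
Set-GPPermission -Name $excelGpo.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None    -Replace | Out-Null
Set-GPPermission -Name $excelGpo.DisplayName -TargetName 'Domain Computers'    -TargetType Group -PermissionLevel GpoRead          | Out-Null
Set-GPPermission -Name $excelGpo.DisplayName -TargetName $group                -TargetType Group -PermissionLevel GpoApply         | Out-Null

# 5. Check: after a Budgets member (assumed name 'someuser') has logged on
#    to Citrix1 once, the RSoP report for that computer should list
#    CTX-Excel under User Configuration; the same report for a normal
#    workstation should not.
Get-GPResultantSetOfPolicy -Computer 'Citrix1' -User "$env:USERDOMAIN\someuser" `
    -ReportType Html -Path "$env:TEMP\rsop-citrix1.html"
```

Two consequences of Replace mode worth knowing before turning it on: every account that logs on to those servers, administrators included, loses the user settings from its own OU for that session (only what is linked to CITRIXTS applies), and a user-side GPO that the server's computer account cannot read contributes nothing, which is why the example grants `Domain Computers` read rather than relying on the Budgets group alone. Merge mode (`UserPolicyMode` = 1) keeps the users' normal policies and layers the OU's on top, which is closer to Joe's "established domain1 policy plus extra restrictions" goal if the extra settings do not conflict.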
 
Steven,
Thanks for the info. The one sentence in the linked article finally
sank in. The problem is this Windows 2000 domain is in mixed mode,
and the loopback won't work in this case. Also, some of the computers
are/will still quite possibly be old 95 and 98. So I guess I gotta try
something else. I could leave it the way it is, but I don't like the idea
that the users can see the system drives.

Thanks for the help Steven,
Joe
 
Do you still have NT4 domain controllers hanging around
on the domain? If not, then you don't need to be in
mixed mode anymore, and that might solve your problem.

Ken
 
Hi Joe.

I believe that it can work in mixed mode - at least partially for users on W2K
computers. The article refers to a pure W2K environment which means that the user
account and computer account must exist on a W2K domain controller. Mixed mode means
that you can still have NT4.0 BDC's on your domain. You can have downlevel domain
members in a W2K native domain - just no NT4.0 BDC. You might also want to post in
the win2000.terminalservices newsgroup for best way to handle W9X computer users in
your configuration. --- Steve
 
Steven, Ken,
Still SOL on this one. I still have NT4.0 (SP6) BDCs, 7 to be exact.
Plans are completed to upgrade these 7, but it's stretched out from now
till the middle of next year. If it were just the OS upgrade I could
probably do it by year end. But the hardware is at end of life too, so the
plan is to do both at the same time.

You guys have been great. Thanks for all the help. I'll also post
questions in the other newsgroup.

Joe
 